[PATCHES] authenticating users during short disconnects from AD

Volker Lendecke vl at samba.org
Sun Jan 8 14:11:41 UTC 2017


On Wed, Dec 28, 2016 at 04:21:16PM +0100, Volker Lendecke wrote:
> On Wed, Dec 28, 2016 at 02:54:38PM +0200, Uri Simchoni wrote:
> > #2 - we optimistically try sid2xid with type unspecified. The question
> > is what to do if that fails - resolve the SIDs only for that call or for
> > all later calls? Making a mental note that this backend needs sid lookup
> > before mapping is good for backends which require this by their nature,
> > such as rfc2307 - avoid the double lookup. OTOH some backends only need
> > the SID type for allocation of new SIDs, so avoiding the "mental note"
> > might result in better offline operation with those backends.
> 
> Hmm. Right. It's only for new IDs. Maybe it is in fact better to
> always do the double-roundtrip. Need to think about that a bit more.

One more thing I just found: Even autorid needs the type for some new
mappings; autorid has an alloc range for special sids. So I think we
should not generalize per domain but really per sid. This means doing
the optimistic attempt always first might really be the right thing to
do.

Volker


